[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via af53df6cd6e python/samba/tests: Fix incorrect super-class in cred_opt.py setUp()
  via 0f2ff51a4b4 python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py
  via 42e78285632 python: Correct Python2 super() calls that called the wrong class
  via 6ac48336780 python: tests: update all super calls to python 3 style in tests
  via e8fda61a57f python: get rid of pointless empty overridden methods
  via 983f222e382 python: Use constants from hresult.h for python constants
  via b14ead30da3 python: move HRES_SEC_* constants to samba module
  via 1a45e49b5f6 python: tests: make HRES_SEC_E_* constant an int
  via 6bcfcacd536 python: PEP275: docstrings should always use double quotes
  via 35d71bfc6f5 python: fix missing colon around param in docstring
  from 72c6f38e9fe lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit af53df6cd6e21f7394bb4b638e398588c8495127
Author: Andrew Bartlett
Date:   Thu Nov 30 13:31:33 2023 +1300

    python/samba/tests: Fix incorrect super-class in cred_opt.py setUp()

    This will allow TEST_DEBUG_LEVEL to work in this test.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Nov 30 02:03:05 UTC 2023 on atb-devel-224

commit 0f2ff51a4b4884ada7335cba73dc516e8475f356
Author: Andrew Bartlett
Date:   Thu Nov 30 13:28:56 2023 +1300

    python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py

    This was not intentional as far as can be determined.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 42e7828563220f7c7f281f68c3cdcd529e6f6ef8
Author: Andrew Bartlett
Date:   Thu Nov 30 13:22:18 2023 +1300

    python: Correct Python2 super() calls that called the wrong class

    These changes have been checked as safe as skipping a superclass has no actual impact.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 6ac48336780813cd5cb0cd9e5b5f1355aa342096
Author: Rob van der Linde
Date:   Tue Nov 28 16:38:22 2023 +1300

    python: tests: update all super calls to python 3 style in tests

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett
    [abart...@samba.org Some python2 style super() calls remain due to being an actual, even if reasonable, behaviour change]

commit e8fda61a57fbec996aa05eff8e696057237c7be0
Author: Rob van der Linde
Date:   Tue Nov 28 15:59:41 2023 +1300

    python: get rid of pointless empty overridden methods

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 983f222e382dfd2cf9df202f0645bdb1ec8a62ed
Author: Andrew Bartlett
Date:   Thu Nov 30 10:37:13 2023 +1300

    python: Use constants from hresult.h for python constants

    This encourages us to keep a single source for constants.

    In the future this should be a generated python file like for ntstatus.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit b14ead30da3fa6a12412ce97724daebb3cc3ebfa
Author: Rob van der Linde
Date:   Tue Nov 28 15:13:21 2023 +1300

    python: move HRES_SEC_* constants to samba module

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 1a45e49b5f6286f8a5071536e5a780322b7e1e9c
Author: Rob van der Linde
Date:   Wed Nov 29 16:00:13 2023 +1300

    python: tests: make HRES_SEC_E_* constant an int

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 6bcfcacd536f8fb82aacd533f39b74e663bd343d
Author: Rob van der Linde
Date:   Tue Nov 28 15:11:12 2023 +1300

    python: PEP275: docstrings should always use double quotes

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 35d71bfc6f5cf379ac64a289bf97a6e4ddac1d20
Author: Rob van der Linde
Date:   Tue Nov 28 15:02:00 2023 +1300

    python: fix missing colon around param in docstring

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

---

Summary of changes:
 python/pyglue.c | 5 ++
 python/samba/__init__.py | 5 +-
 python/samba/tests/__init__.py | 6 +-
 python/samba/tests/audit_log_base.py | 2 +-
 python/samba/tests/audit_log_dsdb.py | 4 +-
 python/samba/tests/audit_log_pass_change.py | 5 +-
 python/samba/tests/auth.py
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 72c6f38e9fe lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors
  via 017c90e1bac lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()
  via cd1168a1319 lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths
  via 6b5ccd25083 lib:crypto: Clean up HMAC handle in one place
  via b1c6a93085a lib:crypto: Add missing call to gnutls_hmac_deinit()
  via 19f2365c6a0 lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key()
  via 014f606099b lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key()
  via 5f5b5b75ca5 lib:crypto: Add tests for samba_gnutls_sp800_108_derive_key()
  via 04b6dc8d0bb lib:crypto: Add samba_gnutls_sp800_108_derive_key()
  via 2c4b014b9ae lib:crypto: Remove unused variable
  via 768178be708 lib:crypto: Remove unused imports
  via 30be2446ed1 libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()
  via b5b21579844 libcli/auth: Return more consistent status code on gnutls HMAC failure
  via 150a6ca38ab auth/gensec: Return more consistent status codes on gnutls hashing failure
  via 1e07da1cfe1 s4:utils: Use correct enumeration constant
  via 33167207d24 s4:utils: Remove trailing whitespace
  via 99ded98b394 s4:libcli: Call correct function to get HMAC output length
  via 769b6527526 s4:libcli: Remove trailing whitespace
  via 5d53ac8af07 libcli/smb: Call correct function to get HMAC output length
  via 2482a714cf2 libcli/auth: Call correct function to get HMAC output length
  via cee483fd4a0 libcli/auth: Use correct enumeration constant
  via 4bb031f8755 libcli/smb: Include missing headers
  via acb67bd93ed selftest: Remove knownfail entries for non‐existent tests
  via 187d3baab3c librpc:ndr: Use correct libndr flags type
  via 79f6da42128 librpc:ndr: Remove trailing whitespace
  via 5571116ba0a docs-xml: Add missing closing parenthesis
  via e3f81fa71ee pidl: Make sure to cast whole expressions
  via 59b94325248 conditional_ace.idl: Fix undefined shift
  via 3da132a8dfb pidl: Fix subscripts of dereferenced arrays
  via dbc9c9bd128 pidl: Remove unneeded casts
  via 561537adbbb pidl: Fix grammar in warning message
  via 25988f5d259 pidl: Remove trailing whitespace
  via 9d7bce5bbbd pidl: Remove unused imports
  from c4a5d4eb62f third_party: Update waf to version 2.0.26

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 72c6f38e9fe158ab639622da7a8a29d666b992b1
Author: Joseph Sutton
Date:   Thu Nov 23 16:54:12 2023 +1300

    lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Nov 30 01:03:29 UTC 2023 on atb-devel-224

commit 017c90e1bac09afb33fbd4b6b87208f27f692820
Author: Joseph Sutton
Date:   Wed Nov 29 15:46:30 2023 +1300

    lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()

    Our code won’t use this, but NIST’s test vectors are based on handing a fixed buffer to the key derivation function.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit cd1168a131931abb7043f5b108da9aaa2094e391
Author: Joseph Sutton
Date:   Wed Nov 29 12:44:10 2023 +1300

    lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6b5ccd2508312e9c89262a123203c8eb7e25839d
Author: Joseph Sutton
Date:   Wed Nov 29 12:27:03 2023 +1300

    lib:crypto: Clean up HMAC handle in one place

    This is less error prone than having to ensure it’s cleaned up in every error path.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit b1c6a93085a3eb324976375be6e441be28c9f846
Author: Joseph Sutton
Date:   Wed Nov 29 12:29:58 2023 +1300

    lib:crypto: Add missing call to gnutls_hmac_deinit()

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 19f2365c6a0cbc07d9e2301c3ab205b00787830e
Author: Joseph Sutton
Date:   Wed Nov 29 12:28:10 2023 +1300

    lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key()

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 014f606099b787cb13f965aa2950399c75767033
Author: Joseph Sutton
Date:   Wed Nov 29 11:49:19 2023 +1300

    lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key()

    We are going to need to alter the structure of this function a little bit.

    Signed-off-by:
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated
  via e4505c10a76 testprogs: Add net offlinejoin composeodj tests
  via 4deac6a2170 testprogs: Cleanup machine account in net offlinejoin tests
  via 89e830251d0 s3:net: Allow to load ODJ blob from stdin
  via 152d2592f0f s3:net: Load ODJ blob from file only if "loadfile" parameter is present
  via df294c92acb s3:net: Add "net offlinejoin composeodj" command
  via 4f81c780125 s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()
  via 224b8dffe80 s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.
  via dfa8dfaa752 s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate
  via 202b817f7be s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL
  via 0f324795d24 s3:libnetapi: Add some comments to document ODJ blob charset conversions
  via 1f91db224fa s3:libnetapi: Return error from RequestOfflineJoin
  from f45acdafa90 VERSION: Bump version up to Samba 4.19.4...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test

- Log -
commit e4505c10a766498aa1ea3817dad30b26db287f0f
Author: Samuel Cabrero
Date:   Mon Sep 4 16:49:52 2023 +0200

    testprogs: Add net offlinejoin composeodj tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224

    (cherry picked from commit f3c632e74ba100b455eeac66e8914b11d1d9b0a0)

    Autobuild-User(v4-19-test): Jule Anger
    Autobuild-Date(v4-19-test): Wed Nov 29 15:59:17 UTC 2023 on atb-devel-224

commit 4deac6a21701ceedf2d8a243a00167fbc31e4b30
Author: Samuel Cabrero
Date:   Mon Sep 4 16:18:35 2023 +0200

    testprogs: Cleanup machine account in net offlinejoin tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5)

commit 89e830251d0c0e40cfbe3ef5c57f0b0eb6724068
Author: Samuel Cabrero
Date:   Wed Aug 30 20:53:18 2023 +0200

    s3:net: Allow to load ODJ blob from stdin

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit c14a4f51443f67bc46a670a342eed8cb9e81f37d)

commit 152d2592f0f2646d923d8bef158705a516bd8308
Author: Samuel Cabrero
Date:   Wed Aug 30 20:25:17 2023 +0200

    s3:net: Load ODJ blob from file only if "loadfile" parameter is present

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86)

commit df294c92acb0b96949d85f25753c303430c9266a
Author: Samuel Cabrero
Date:   Thu Aug 31 12:46:52 2023 +0200

    s3:net: Add "net offlinejoin composeodj" command

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 4a1f2071a6028a761bbe7efee20e9654851b51f0)

commit 4f81c7801255e1141974e0ee70683b66b3e84d08
Author: Samuel Cabrero
Date:   Thu Aug 31 12:45:42 2023 +0200

    s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit a8bd8f22aac2c223e85e318dba7af8b64052b053)

commit 224b8dffe802a7bd8875871726857c78c86bbfeb
Author: Samuel Cabrero
Date:   Thu Aug 31 12:44:26 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 7cabbec2eaf5aefd3751c635c12556eca590f506)

commit dfa8dfaa752789ce3e1f3c117823c3bd952e1942
Author: Samuel Cabrero
Date:   Thu Aug 31 12:43:22 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4)

commit 202b817f7be069d887b3e07c2bbcdf0fca2b1c7a
Author: Samuel Cabrero
Date:   Thu Aug 31 12:39:04 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 740e704bd68a6b618b62336ba1583c0edeb82d6f)

commit 0f324795d24110bd19b495f6bf684a02f6181cc9
Author: Samuel Cabrero
Date:   Mon Sep 4 10:47:06 2023 +0200

    s3:libnetapi: Add some comments to document ODJ blob
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated
  via 0a8cf4f1c06 testprogs: Add net offlinejoin composeodj tests
  via ce29bbfb7db testprogs: Cleanup machine account in net offlinejoin tests
  via 69475590970 s3:net: Allow to load ODJ blob from stdin
  via 1f066b595f9 s3:net: Load ODJ blob from file only if "loadfile" parameter is present
  via ca6ba984095 s3:net: Add "net offlinejoin composeodj" command
  via 4e43af11c3a s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()
  via ad2196fd792 s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.
  via fddbff3d44a s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate
  via a85441249de s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL
  via f8021a241e5 s3:libnetapi: Add some comments to document ODJ blob charset conversions
  via f731d75081f s3:libnetapi: Return error from RequestOfflineJoin
  from 6c06c9ed427 VERSION: Bump version up to Samba 4.18.10...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test

- Log -
commit 0a8cf4f1c067754e3f9805f1365d43b8acdeb322
Author: Samuel Cabrero
Date:   Mon Sep 4 16:49:52 2023 +0200

    testprogs: Add net offlinejoin composeodj tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224

    (cherry picked from commit f3c632e74ba100b455eeac66e8914b11d1d9b0a0)

    Autobuild-User(v4-18-test): Jule Anger
    Autobuild-Date(v4-18-test): Wed Nov 29 15:55:45 UTC 2023 on atb-devel-224

commit ce29bbfb7db31c69d5d73bb0ca89e6754ffe7e6d
Author: Samuel Cabrero
Date:   Mon Sep 4 16:18:35 2023 +0200

    testprogs: Cleanup machine account in net offlinejoin tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5)

commit 69475590970e2bfc7ee78f6b8c1edfbbe3060276
Author: Samuel Cabrero
Date:   Wed Aug 30 20:53:18 2023 +0200

    s3:net: Allow to load ODJ blob from stdin

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit c14a4f51443f67bc46a670a342eed8cb9e81f37d)

commit 1f066b595f968a59bdff52b5a54dffa555f832d6
Author: Samuel Cabrero
Date:   Wed Aug 30 20:25:17 2023 +0200

    s3:net: Load ODJ blob from file only if "loadfile" parameter is present

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86)

commit ca6ba984095512e187528024eee18e3fd9cd9a8c
Author: Samuel Cabrero
Date:   Thu Aug 31 12:46:52 2023 +0200

    s3:net: Add "net offlinejoin composeodj" command

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 4a1f2071a6028a761bbe7efee20e9654851b51f0)

commit 4e43af11c3aa7331789b64e5e7a32287dc67ce0a
Author: Samuel Cabrero
Date:   Thu Aug 31 12:45:42 2023 +0200

    s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit a8bd8f22aac2c223e85e318dba7af8b64052b053)

commit ad2196fd79247dd133cbba3a5bf39721e741699e
Author: Samuel Cabrero
Date:   Thu Aug 31 12:44:26 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 7cabbec2eaf5aefd3751c635c12556eca590f506)

commit fddbff3d44adcfa6715afe0a62d0fd49ed890e7b
Author: Samuel Cabrero
Date:   Thu Aug 31 12:43:22 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4)

commit a85441249de22d2b707bf9a6877720da78f31ea6
Author: Samuel Cabrero
Date:   Thu Aug 31 12:39:04 2023 +0200

    s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 740e704bd68a6b618b62336ba1583c0edeb82d6f)

commit f8021a241e50a20cd009fe2ad58e01133360e4e9
Author: Samuel Cabrero
Date:   Mon Sep 4 10:47:06 2023 +0200

    s3:libnetapi: Add some comments to document ODJ blob
[SCM] Samba Shared Repository - branch v4-18-stable updated
The branch, v4-18-stable has been updated
  via 2669b77d97b VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release.
  via 2e5bc96588c WHATSNEW: Add release notes for Samba 4.18.9.
  via be0b6c4b807 vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
  via 66259b50c17 vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
  via 11523b490c5 nfs4_acls: Make fstat_with_cap_dac_override static
  via f9d4855b1ac nfs4_acls: Make stat_with_cap_dac_override static
  via 6090ebfa5c1 nfs4_acls: Make fstatat_with_cap_dac_override static
  via 3241127482d vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
  via 790363f076f vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
  via 8ca3c4839fe vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
  via cf8f5bdf956 vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
  via 776091ad50f vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
  via 53e4d90dbd1 vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
  via f00db2a13b7 nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
  via 619eb761344 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
  via fedb492e868 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
  via ddef013da21 vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
  via 71bf59691f5 vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
  via d522d15c82b smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
  via a2ad66e4933 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
  via 9a5b46d89e2 s3: smbd: Ignore fstat() error on deleted stream in fd_close().
  via cbbfc917b96 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
  via f967b91da76 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
  via edac27f5408 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
  via 74a508b39e6 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
  via 46a168c9a89 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
  via e884fc791e5 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
  via 8e33532980d gitignore: add WAF lockfile
  via acf4286fbed build: Add 'make printversion' to provide version string
  via 653984f4a6d ctdb-daemon: Call setproctitle_init()
  via b9b0d8bc0f0 VERSION: Bump version up to Samba 4.18.9...
  via d709251a392 Merge branch 'v4-18-stable' into v4-18-test
  via ca1b7c185ed VERSION: Bump version up to Samba 4.18.8...
  from 3dc0412a79f Merge tag 'samba-4.18.8' into v4-18-stable

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable

- Log -
---

Summary of changes:
 .gitignore | 1 +
 Makefile | 4 +
 VERSION | 2 +-
 WHATSNEW.txt | 124 -
 ctdb/server/ctdbd.c | 2 +
 python/samba/dbchecker.py | 27 +++-
 python/samba/descriptor.py | 25 +++-
 python/samba/provision/__init__.py | 5 +
 python/samba/provision/sambadns.py | 4 +
 selftest/knownfail.d/samba4.ldap.confidential_attr | 1 +
 source3/lib/system.c | 31 -
 source3/modules/nfs4_acls.c | 149 +
 source3/modules/nfs4_acls.h | 16 +++
 source3/modules/vfs_aixacl2.c | 4 +
 source3/modules/vfs_gpfs.c | 76 +--
 source3/modules/vfs_zfsacl.c | 4 +
 source3/smbd/files.c | 24 ++--
 source3/smbd/open.c | 15 ++-
 source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +---
 ...eck-link-output-missing-link-sid-corruption.txt | 8 +-
 .../expected-links-after-dbcheck.ldif | 2 +-
 .../release-4-5-0-pre1/rootdse-version.final.txt | 2 +-
 source4/setup/provision.ldif | 1 +
 source4/setup/provision_configuration.ldif | 1 +
 source4/setup/provision_dnszones_add.ldif | 1 +
 testprogs/blackbox/dbcheck-links.sh | 12 ++
 wscript | 5 +
 27 files changed, 450 insertions(+), 149 deletions(-)
 create mode 100644
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 646794f NEWS[4.18.9]: Samba 4.18.9 Available for Download from a6c387d NEWS[4.19.3]: Samba 4.19.3 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 646794fdb03fefd1083261fa6cea91348ce7801d Author: Jule Anger Date: Wed Nov 29 15:36:00 2023 +0100 NEWS[4.18.9]: Samba 4.18.9 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/{samba-4.19.3.html => samba-4.18.9.html} | 36 +++- posted_news/20231129-143633.4.18.9.body.html | 13 + posted_news/20231129-143633.4.18.9.headline.html | 3 ++ 4 files changed, 34 insertions(+), 19 deletions(-) copy history/{samba-4.19.3.html => samba-4.18.9.html} (76%) create mode 100644 posted_news/20231129-143633.4.18.9.body.html create mode 100644 posted_news/20231129-143633.4.18.9.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 05d409d..257e16c 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -13,6 +13,7 @@ samba-4.19.2 samba-4.19.1 samba-4.19.0 + samba-4.18.9 samba-4.18.8 samba-4.18.7 samba-4.18.6 diff --git a/history/samba-4.19.3.html b/history/samba-4.18.9.html similarity index 76% copy from history/samba-4.19.3.html copy to history/samba-4.18.9.html index 584e293..239288b 100644 --- a/history/samba-4.19.3.html +++ b/history/samba-4.18.9.html 
@@ -2,27 +2,27 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> http://www.w3.org/1999/xhtml;> -Samba 4.19.3 - Release Notes +Samba 4.18.9 - Release Notes -Samba 4.19.3 Available for Download +Samba 4.18.9 Available for Download -https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.gz;>Samba 4.19.3 (gzipped) -https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.asc;>Signature +https://download.samba.org/pub/samba/stable/samba-4.18.9.tar.gz;>Samba 4.18.9 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.18.9.tar.asc;>Signature -https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.gz;>Patch (gzipped) against Samba 4.19.2 -https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.asc;>Signature +https://download.samba.org/pub/samba/patches/samba-4.18.8-4.18.9.diffs.gz;>Patch (gzipped) against Samba 4.18.8 +https://download.samba.org/pub/samba/patches/samba-4.18.8-4.18.9.diffs.asc;>Signature == - Release Notes for Samba 4.19.3 - November 27, 2023 + Release Notes for Samba 4.18.9 + November 29, 2023 == -This is the latest stable release of the Samba 4.19 release series. +This is the latest stable release of the Samba 4.18 release series. It contains the security-relevant bugfix CVE-2018-14628: Wrong ntSecurityDescriptor values for CN=Deleted Objects @@ -84,11 +84,11 @@ The change should be confirmed with y for all objects starting with CN=Deleted Objects. -Changes since 4.19.2 +Changes since 4.18.8 -o Douglas Bagnall douglas.bagn...@catalyst.net.nz - * BUG 15520: sid_strings test broken by unix epoch 17. +o Michael Adam ob...@samba.org + * BUG 15497: Add make command for querying Samba version. o Ralph Boehme s...@samba.org * BUG 15487: smbd crashes if asked to return full information on close of a 
@@ -96,9 +96,6 @@ o Ralph Boehme s...@samba.org * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor(). -o Pavel Filipenský pfilipen...@samba.org - * BUG 15499: Improve logging for failover scenarios. - o Bjrn Jacke b...@sernet.de * BUG 15093: Files without read attributes NFS4 ACL permission are not listed in directories. @@ -106,14 +103,15 @@ o Bjrn Jacke b...@sernet.de o Stefan Metzmacher me...@samba.org * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users. - * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal - accounts. o Christof Schmitt c...@samba.org * BUG 15507: vfs_gpfs stat calls fail due to file system permissions. -o Andreas Schneider a...@samba.org - * BUG 15513: Samba doesnt build with Python 3.12. +o Christof Schmitt christof.schm...@us.ibm.com + * BUG 15497: Add make command for querying Samba version. + +o Martin Schwenke mschwe...@ddn
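Review bot: In the "Changes since 4.18.8" list of history/samba-4.18.9.html, Christof Schmitt ends up listed twice under two different addresses: the unchanged "o Christof Schmitt c...@samba.org" entry for BUG 15507 and the added "+o Christof Schmitt christof.schm...@us.ibm.com" entry for BUG 15497. Fold both bugs under a single author entry so the list has one block per contributor, and keep the entries in the alphabetical order the rest of the list uses.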
[SCM] Samba Shared Repository - annotated tag samba-4.18.9 created
The annotated tag, samba-4.18.9 has been created
  at eeed84fa101a4f76d1c5b81fba82c2c403b86a87 (tag)
  tagging 2669b77d97b55542b6f2bc80c72cf699399e8ec8 (commit)
  replaces samba-4.18.8
  tagged by Jule Anger
  on Wed Nov 29 15:35:36 2023 +0100

- Log -
samba: tag release samba-4.18.9

Andreas Schneider (1):
      CVE-2023-4154 s4:dsdb:tests: Fix code spelling

Andrew Bartlett (13):
      CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
      CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
      CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
      CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
      CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
      CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
      CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
      CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
      CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
      CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
      CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
      CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
      CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

Björn Jacke (1):
      system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable

Christof Schmitt (17):
      build: Add 'make printversion' to provide version string
      vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
      vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
      vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
      vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
      nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
      vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
      vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
      nfs4_acls: Make fstatat_with_cap_dac_override static
      nfs4_acls: Make stat_with_cap_dac_override static
      nfs4_acls: Make fstat_with_cap_dac_override static
      vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
      vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions

Jeremy Allison (3):
      CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
      CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
      CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

Joseph Sutton (2):
      CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
      CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG

Jule Anger (6):
      VERSION: Bump version up to Samba 4.18.8...
      Merge tag 'samba-4.18.8' into v4-18-stable
      Merge branch 'v4-18-stable' into v4-18-test
      VERSION: Bump version up to Samba 4.18.9...
      WHATSNEW: Add release notes for Samba 4.18.9.
      VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release.

Martin Schwenke (1):
      ctdb-daemon: Call setproctitle_init()

Michael Adam (1):
      gitignore: add WAF lockfile

Ralph Boehme (4):
      CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
      CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
      s3: smbd: Ignore fstat() error on deleted stream in fd_close().
      smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()

Stefan Metzmacher (13):
      CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via 6c06c9ed427 VERSION: Bump version up to Samba 4.18.10... via 2669b77d97b VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release. via 2e5bc96588c WHATSNEW: Add release notes for Samba 4.18.9. from be0b6c4b807 vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit 6c06c9ed427f64034507aea2924d0cb9d0bb3c3e Author: Jule Anger Date: Wed Nov 29 15:24:32 2023 +0100 VERSION: Bump version up to Samba 4.18.10... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 2669b77d97b55542b6f2bc80c72cf699399e8ec8 Author: Jule Anger Date: Wed Nov 29 15:24:09 2023 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release. Signed-off-by: Jule Anger commit 2e5bc96588cb2206abbf11c99d6fdccad73c4405 Author: Jule Anger Date: Wed Nov 29 15:23:30 2023 +0100 WHATSNEW: Add release notes for Samba 4.18.9. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 124 ++- 2 files changed, 123 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 37824cd31dc..ac25cfd99fa 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=18 -SAMBA_VERSION_RELEASE=9 +SAMBA_VERSION_RELEASE=10 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 53fe4eafa72..3c77ebfd0f6 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,124 @@ + == + Release Notes for Samba 4.18.9 + November 29, 2023 + == + + +This is the latest stable release of the Samba 4.18 release series. +It contains the security-relevant bugfix CVE-2018-14628: + +Wrong ntSecurityDescriptor values for "CN=Deleted Objects" +allow read of object tombstones over LDAP +(Administrator action required!) +https://www.samba.org/samba/security/CVE-2018-14628.html + + +Description of CVE-2018-14628 +- + +All versions of Samba from 4.0.0 onwards are vulnerable to an +information leak (compared with the established behaviour of +Microsoft's Active Directory) when Samba is an Active Directory Domain +Controller. + +When a domain was provisioned with an unpatched Samba version, +the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object +instead of being very strict (as on a Windows provisioned domain). + +This means also non privileged users can use the +LDAP_SERVER_SHOW_DELETED_OID control in order to view, +the names and preserved attributes of deleted objects. + +No information that was hidden before the deletion is visible, but in +with the correct ntSecurityDescriptor value in place the whole object +is also not visible without administrative rights. + +There is no further vulnerability associated with this error, merely an +information disclosure. + +Action required in order to resolve CVE-2018-14628! +--- + +The patched Samba does NOT protect existing domains! + +The administrator needs to run the following command +(on only one domain controller) +in order to apply the protection to an existing domain: + + samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix + +The above requires manual interaction in order to review the +changes before they are applied. Typicall question look like this: + + Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default? 
+Owner mismatch: SY (in ref) DA(in current) +Group mismatch: SY (in ref) DA(in current) +Part dacl is different between reference and current here is the detail: +(A;;LCRPLORC;;;AU) ACE is not present in the reference +(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference +(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference +(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current +(A;;LCRP;;;BA) ACE is not present in the current + [y/N/all/none] y + Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' + +The change should be confirmed with 'y' for all objects starting with +'CN=Deleted Objects'. + + +Changes since 4.18.8 + + +o Michael Adam + * BUG 15497: Add make command for querying Samba version. + +o Ralph Boehme + * BUG 15487: smbd crashes if asked to return
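Review bot: the CVE-2018-14628 text added to WHATSNEW.txt has wording errors in the part administrators must act on. "Typicall question look like this" should read "Typical questions look like this", the sentence "No information that was hidden before the deletion is visible, but in with the correct ntSecurityDescriptor value in place" carries a stray "in", and "in order to view, the names and preserved attributes" carries a stray comma. The attribute is also spelled both ntSecurityDescriptor and nTSecurityDescriptor; using the spelling from the dbcheck command throughout makes the notes easier to search. Because the notes state that the patched Samba does NOT protect existing domains, a sentence on how to verify that the reset was applied to every 'CN=Deleted Objects' container would be a useful addition.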
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c4a5d4eb62f third_party: Update waf to version 2.0.26 from e2651628844 tests: claims blackbox: add device and server silo restrictions test https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c4a5d4eb62f371ac6b5194d446f54b1d592bd6cd Author: Andreas Schneider Date: Wed Nov 22 13:21:38 2023 +0100 third_party: Update waf to version 2.0.26 https://gitlab.com/ita1024/waf/-/blob/waf-2.0.26/ChangeLog Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Nov 29 10:47:00 UTC 2023 on atb-devel-224 --- Summary of changes: buildtools/bin/waf | 2 +- buildtools/wafsamba/wafsamba.py | 2 +- third_party/waf/waflib/Context.py| 6 +- third_party/waf/waflib/Scripting.py | 8 +- third_party/waf/waflib/Tools/qt5.py | 186 +++--- third_party/waf/waflib/extras/distnet.py | 2 + third_party/waf/waflib/extras/haxe.py| 261 +-- third_party/waf/waflib/extras/msvs.py| 4 +- third_party/waf/waflib/extras/sphinx.py | 2 +- 9 files changed, 289 insertions(+), 184 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/bin/waf b/buildtools/bin/waf index f754b52a7bc..0f70fa21de2 100755 --- a/buildtools/bin/waf +++ b/buildtools/bin/waf @@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. import os, sys, inspect -VERSION="2.0.25" +VERSION="2.0.26" REVISION="x" GIT="x" INSTALL="x" diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index c14eb58c879..8c0aa23fe21 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -38,7 +38,7 @@ LIB_PATH="shared" os.environ['PYTHONUNBUFFERED'] = '1' -if Context.HEXVERSION not in (0x2001900,): +if Context.HEXVERSION not in (0x2001a00,): Logs.error(''' Please use the version of waf that comes with Samba, not a system installed version. See http://wiki.samba.org/index.php/Waf 
diff --git a/third_party/waf/waflib/Context.py b/third_party/waf/waflib/Context.py index ee8c5c9c5df..369664819b6 100644 --- a/third_party/waf/waflib/Context.py +++ b/third_party/waf/waflib/Context.py @@ -18,13 +18,13 @@ else: import imp # the following 3 constants are updated on each new release (do not touch) -HEXVERSION=0x2001900 +HEXVERSION=0x2001a00 """Constant updated on new releases""" -WAFVERSION="2.0.25" +WAFVERSION="2.0.26" """Constant updated on new releases""" -WAFREVISION="2db0b41b2805cd5db3b55476c06b23c1e46d319f" +WAFREVISION="0fb985ce1932c6f3e7533f435e4ee209d673776e" """Git revision when the waf version is updated""" WAFNAME="waf" diff --git a/third_party/waf/waflib/Scripting.py b/third_party/waf/waflib/Scripting.py index da83a2166a1..a80cb367867 100644 --- a/third_party/waf/waflib/Scripting.py +++ b/third_party/waf/waflib/Scripting.py @@ -388,7 +388,11 @@ class Dist(Context.Context): for x in files: archive_name = self.get_base_name() + '/' + x.path_from(self.base_path) - zip.write(x.abspath(), archive_name, zipfile.ZIP_DEFLATED) + if os.environ.get('SOURCE_DATE_EPOCH'): + # TODO: parse that timestamp + zip.writestr(zipfile.ZipInfo(archive_name), x.read(), zipfile.ZIP_DEFLATED) + else: + zip.write(x.abspath(), archive_name, zipfile.ZIP_DEFLATED) zip.close() else: self.fatal('Valid algo types are tar.bz2, tar.gz, tar.xz or zip') @@ -425,6 +429,8 @@ class Dist(Context.Context): tinfo.gid = 0 tinfo.uname = 'root' tinfo.gname = 'root' + if os.environ.get('SOURCE_DATE_EPOCH'): + tinfo.mtime = int(os.environ.get('SOURCE_DATE_EPOCH')) if os.path.isfile(p): with open(p, 'rb') as f: diff --git a/third_party/waf/waflib/Tools/qt5.py b/third_party/waf/waflib/Tools/qt5.py index b3e61325e50..0932e943ae6 100644 --- a/third_party/waf/waflib/Tools/qt5.py +++ b/third_party/waf/waflib/Tools/qt5.py 
@@ -1,10 +1,11 @@ #!/usr/bin/env python # encoding: utf-8 # Thomas Nagy, 2006-2018 (ita) +# Rafaël Kooi, 2023 (RA-Kooi) """ -This tool helps with finding Qt5 tools and libraries, -and also provides syntactic sugar for using Qt5 tools. +This tool helps with finding Qt5 and Qt6 tools and libraries, +and also provides syntactic sugar for using Qt5 and Qt6 tools. The following snippet illustrates the tool usage:: @@ -22,6 +23,23 @@
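Review bot: in the zip branch of Dist in third_party/waf/waflib/Scripting.py, the SOURCE_DATE_EPOCH path tests the variable but never uses its value. zipfile.ZipInfo(archive_name) is created with its default date_time, so every entry gets the same fixed timestamp regardless of the epoch requested, which the "# TODO: parse that timestamp" comment acknowledges. The new path also calls x.read() with no mode argument, while the tar branch below opens files with 'rb'; if read() returns decoded text, writestr() re-encodes it and binary files can come out of the archive changed, so the bytes should be read explicitly. A bare ZipInfo also carries no permission bits, whereas zip.write(x.abspath(), ...) records the file's mode. Suggest setting date_time from the parsed epoch and copying the mode into external_attr.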
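Review bot: the tar branch of Scripting.py assigns tinfo.mtime = int(os.environ.get('SOURCE_DATE_EPOCH')) with no validation, so a non-numeric value raises an uncaught ValueError while files are being added to the archive. The variable is also looked up twice per file. Parse it once before the archive is opened, report a bad value through self.fatal() as the 'Valid algo types are ...' error does, and reuse the parsed integer in both the zip and tar branches so the two formats agree on the timestamp.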